A user is identified using
an identity that must be authenticated
by WebSphere® Application
Server in order to access a WebSphere Application Server
application in a secure
environment.
Understanding the different types of identities:
The WebSphere Application
Server authenticates the user identity and represents the user with
a Java Authentication
and Authorization Service (JAAS) subject. A subject contains one or
more principals
(which are technology-dependent representations of the authenticated
user
identity). More detail follows:
- User identities
- Java EE
identity
- The user identity authenticated by WebSphere and
used for access control
decisions made by the WebSphere Application Server
at Java Platform,
Enterprise Edition (Java EE)
runtime (such as the user identity
associated with a Java EE application request and
used in EJB method permission
access control decisions).
- Operating system
(OS) identity
- The user identity authenticated by the underlying
operating system and
used for access control decisions made by the OS and its subsystems
(such
as the user identity associated with a WebSphere Application
Server for z/OS® servant
by the SAF STARTED class facility and used by the file system for
access control
decisions when the server attempts to access files).
- Thread identity
- Java thread
identity
- The Java EE
identity currently associated with a Java thread
managed by the WebSphere Java EE
runtime (a Java thread is the Java Virtual Machine (JVM) representation
of a thread). The Java thread identity is associated
with an operating
system (OS) thread, but the JVM manages the user identity on the Java representation
of the thread - separate from the user identity that the operating
system
manages on the operating system thread. The Java EE
identity is current on the Java thread
for the life of the a given application request
- OS thread identity
- The operating system identity currently
associated with the operating
system thread. The OS thread identity is typically the user identity
assigned
to servant and is normally not the same as the Java thread
identity. Note that Java EE
maintains a Java EE identity that corresponds
to the OS thread identity
assigned to the servant. This Java EE
identity can be used as a RunAs
identity.
- RunAs identity
- The Java EE identity chosen as the Java thread
identity for a given Java EE
application request (based on the
RunAs deployment descriptor policy on an Enterprise JavaBeans (EJB)
invoked within the Java EE application request). The Java EE
identity is normally the identity of the authenticated user who has
made the Java EE
application request. WebSphere Application Server
RunAs policy allows
three choices in assigning the Java thread
identity for the current request:
- Assign the client (for example, user) Java EE
identity - also referred to as selecting
RunAs of "Caller"
- Assign the server's Java EE
identity
- Assign the Java EE
identity that is in the specified role
When security is enabled, each WebSphere Application
Server for z/OS request
that invokes a Java EE component is authenticated
to ensure that an
authorized user is requesting access. A user is represented by a Java EE
identity (also called a JAAS subject). This Java EE
identity contains one or more principals,
and each principal corresponds to a specific user identity. This association
is managed by the WebSphere Application Server.
The Java EE
identity and operating system OS thread identity are associated with
each
other because they have the same name and represent the same user.
WebSphere Application
Server for z/OS dispatches
component requests in one of its available servant processes. Within
the servant
process the component request is dispatched on a Java thread.
A Java thread is then mapped internally by
the JVM to a z/OS thread
control block (TCB). A TCB is an operating system thread and is considered
part of the native process infrastructure. A servant process has a
OS identity
assigned to it when it starts. The z/OS security
policy uses the SAF STARTED
class facility to assign the identity.
Java EE
authorization decisions including role authorization and permission
checking
are determined using the Java EE
identity. Through a configuration
setting, role authorization checking can be delegated to the underlying
operating
system security manager (such as System Authorization Facility (SAF)),
in
which case the associated operating system OS identity is used in
the role
authorization decision.
Some resource managers on z/OS use
the OS thread identity to make authorization
decisions. For example, file system access control is determined entirely
based on which OS thread identity is currently on the TCB when the
file is
accessed. Similarly, local Java database
connectivity (JDBC) connections
to DB2® for z/OS use
the TCB OS thread identity as the authorization identity under certain
configurations.
For resource managers that use the OS thread identity such as DB2 for z/OS (and
unlike
the file system) that applications access through Java Message
Service (JMS), JDBC, or Java EE
Connector Architecture (JCA) connectors managed by the WebSphere Application
Server for z/OS connection
management, we say that the connectors to these z/OS resource
managers "use operating system
thread security".
For more information, refer to: